Friday, March 30, 2007

This week's Reflection needs no introduction. Jeff Williams is one of the major contributors to the webappsec community. He has written many whitepapers, spoken at many conferences including the Secure Software Summit, OWASP conferences, the ISSA InfoSec Conference, the NSA High Confidence Software and Systems Conference (HCSS), JavaOne, the National Computer Security Conference (NCSC), etc., written many tools available at OWASP, and also chairs the OWASP Foundation. Jeff Williams has done a lot of work in promoting awareness of web application security.

In his Reflection, Jeff shares with us how he got into web application security, his journey with OWASP, and a little bit about his personal life and interests. In his own words:

“I set out to be a user interface guy, but I got into security accidentally. I was working at TRW in 1992 on the user interface for a big Navy system that just happened to be highly secure – targeting B2 in the Orange Book. I took on an R&D project to port the user interface to the new compartmented mode workstation (what became Trusted Solaris) and I found that I really liked the challenge of securing such a complex system.

Then Java 1.0 came along and I got NIST and NRL funding to do security research. At the time, we thought the Java sandbox was a good idea, but that there were attacks that might bypass it. So I wrote a special classloader that modified the bytecode to wrap security relevant method calls with a reference monitor. After that I spent several years developing a Java-based multilevel secure network guard on Trusted Solaris. That guard handled HTTP, FTP, TDS, and a number of other protocols – sort of a very early application firewall. But unlike the modern WAFs, we took a whitelist approach where you would define exactly the data formats and rules for allowing messages.

In the mid-90’s, I chaired the group that authored the SSE-CMM, which is now ISO 21827. As it turns out, the processes involved in systems security engineering are quite similar to those necessary for secure software development. I’m very glad to see that the idea of assurance arguments from my work is starting to be used in the application security world.

Then in 1998, while I was the technical director of the Global Security Practice at Exodus Communications, a Fortune 10 company approached us and said “We’d like to host our applications with you, but we have this rule – every line of code has to be reviewed before it goes on the Internet.” So I started an application security practice and started providing application assessments, developer training, and help with security requirements and architecture. We built a successful practice securing some of the biggest and most complex web applications in the world.

In April 2002, together with Dave Wichers, Noelle Hardy, and some other great folks, I started Aspect Security to focus exclusively on application security. I just feel so fortunate to get to work with such an amazing group of consultants and customers. I’m having the most fun of my professional career.

I first heard of OWASP in 2001 from Chuck Pfleeger (the author of Security in Computing). The idea of a free and open community for application security was an interesting idea. At the time, getting companies to focus on application security was difficult. In meetings with several government agencies, they acknowledged that it was an issue, but that they were managing to the SANS Top 20. I came home and literally in the shower said to myself, “I wish we had an application security top ten…” So a small team of us at Aspect took the lead in drafting the first OWASP Top Ten.

Later, Aspect donated WebGoat, a hands-on training environment for application security issues that we had developed for our courses. A huge number of organizations, including Google, use WebGoat today to teach their developers about application security. We started to see that participation in OWASP allowed Aspect to demonstrate our skills in a very constructive way, and many of our customers have contacted us after seeing our participation in OWASP.

I was honored to take over the leadership of OWASP in 2003. At that time, we had a number of great contributors, but OWASP itself was just a domain name and a few small projects. So I got us set up as a 501c3 nonprofit organization and put a management structure in place. I want the OWASP Foundation to provide a free, open, supportive community infrastructure for application security projects. We’re making the barriers to entry for contribution so low that security experts will be motivated to make the effort and share their expertise.

One of the key challenges has been to ensure that OWASP is not influenced by commercial interests. When I set up the AppSec conference and local chapter rules, I made sure that vendors cannot use OWASP to market their products. We’re also starting to ferret out abuse of the OWASP brand by companies that claim their products “address the OWASP Top Ten” or enable “OWASP Compliance.” The local chapters have been growing very quickly and starting to contribute back to the mothership. Our conferences have also been a great experience.

I think the switch to the MediaWiki platform in 2006 was a major step for OWASP. Prior to that, contributing content was a difficult and painful process. Now, anyone can create an account and contribute easily. We have a team set up to review all the contributions and the number of abuses in our first year has been astoundingly low (less than 10 incidents). We’re to the point now where we get dozens of articles and contributions every day. I don’t see how a non-open approach to building an application security body of knowledge can possibly keep up with our productivity.

We’re still a long way from the point where a company can go to OWASP for everything they need in order to build, acquire, and operate secure applications… but we’ve got an incredible process and we’re working very hard to get there.

I have a wonderful wife Jennifer and three kids, Chance (9), Zack (7), and Zoe (1). We live in the woods and spend a lot of time outside with our four Labrador retrievers. I’m very much into sports – I rowed on the crew team at U.Va. and still play basketball three times a week. For a while I was into extreme rollerblading and then I got into mountain bike trials – I broke a lot of equipment, but never had any serious injuries :)"

Based out of Ashton, MD, Jeff is 39 years old and is the CEO of Aspect Security. Below are his contributions to the webappsec community:

OWASP WebGoat
http://www.owasp.org/webgoat

I built the first WebGoat back in 1998 as a controller servlet with a few simple lessons on SQL injection, cross-site scripting, and access control. Since then, it’s grown to have dozens of lessons and has been revamped several times. Many people have contributed to the project and it’s still quite active.

OWASP Stinger
http://www.owasp.org/stinger

Stinger was a simple idea that every part of every HTTP request should be validated with regular expressions: a mechanism for enforcing a positive security model for validation in an application. It uses a Java “filter” to ensure that all requests are validated and even developers can’t avoid it.
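As an added illustration of the positive-model idea described above (this is not Stinger's code and is not from the original post), here is a servlet filter that rejects any request whose parameters or headers do not match an allowlist regular expression. The parameter names and patterns in `RULES` are constructed sample rules; a real deployment would load its own.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical positive-model validation filter (illustration only, not Stinger's code).
public class PositiveValidationFilter implements Filter {

    // Allowlist: parameter name -> pattern the entire value must match.
    // Constructed sample rules; anything not listed here is rejected outright.
    private static final Map<String, Pattern> RULES = Map.of(
        "username", Pattern.compile("^[A-Za-z0-9_]{3,32}$"),
        "page",     Pattern.compile("^[0-9]{1,4}$"),
        "lang",     Pattern.compile("^(en|de|fr)$"));

    // Every header value must be printable ASCII of bounded length.
    private static final Pattern HEADER = Pattern.compile("^[\\x20-\\x7E]{0,1024}$");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String problem = firstViolation(http);
        if (problem != null) {
            // Reject rather than sanitise: only known-good data reaches the application.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, problem);
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns null when the request conforms, otherwise a description of the first violation.
    static String firstViolation(HttpServletRequest http) {
        for (Map.Entry<String, String[]> e : http.getParameterMap().entrySet()) {
            Pattern p = RULES.get(e.getKey());
            if (p == null) return "unexpected parameter: " + e.getKey(); // not on the allowlist
            for (String v : e.getValue()) {
                if (!p.matcher(v).matches()) return "invalid value for " + e.getKey();
            }
        }
        for (Enumeration<String> n = http.getHeaderNames(); n.hasMoreElements();) {
            String name = n.nextElement();
            for (Enumeration<String> vs = http.getHeaders(name); vs.hasMoreElements();) {
                if (!HEADER.matcher(vs.nextElement()).matches()) return "invalid header: " + name;
            }
        }
        return null;
    }
}
```

Mapped to `/*` in web.xml, the filter runs before every servlet, which is what makes the check unavoidable for application developers.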

Friday, March 23, 2007

This week on Reflection we have someone who has contributed to the webappsec community in many different ways. We all know Robert Auger through http://www.cgisecurity.com/. CGI Security is one of the very early websites on the topic and has a wealth of information on web application security. Robert is also a Co-Founder of the Web Application Security Consortium and a founder and moderator of the WASC mailing list. He also co-leads the WASC articles project. Recently he has started http://qasec.com/ where he discusses security testing in the PDLC with an emphasis on QA. He is also leading the WASC Threat Classification (TC v2) project, which is currently underway.

Here he shares with us how he got started in webappsec. In his own words:

My interest in security sparked in the mid 90's after getting infected with the Stoned Empire Monkey Virus. I was very curious how it and other viruses worked, executed, and hid on my machine. Around the same time I was given access to my high school's VAX/VMS network and met up with a few people creating/setting up fake login screens/key loggers on the dumb terminals spread throughout the school. This VMS network was where I learned my first language 'DCL' and helped out on the local school student-run bbs. Sometime later I started reading about 'cgi vulnerabilities' such as the infamous 'phf vulnerability' and was amazed that with nothing more than a browser, I could take over a machine. Since then web-based attack research has been my primary hobby (others include finding ways to abuse crawlers and parsers, co-running The Web Application Security Consortium, and whitehat/blackhat SEO research).

Based out of Silicon Valley, California, Robert is only in his late 20s, and currently works for a large multinational organization where he focuses on anything application security related. I have had the pleasure of meeting him on a few occasions; not only is he a very friendly guy, but he is very passionate about web application security and can speak to you for hours on the topic. He has enormous knowledge in the webappsec field and is one of the very few people who also possess good knowledge of security in the Software Development Life Cycle.

Saturday, March 17, 2007

This week on Reflection we have a very young guy from the webappsec field. Billy Hoffman is a lead security researcher for SPI Dynamics, where he works on discovering and automating web application vulnerabilities and improving their crawling technology. He has presented at a lot of conferences, including ToorCon, Black Hat, etc. Billy’s knowledge of Ajax is tremendous and he has written many papers and presented at many conferences on the dangers of using Ajax. Based out of Atlanta, Georgia, he is only 26 years old, the youngest webappsec expert I know of (I am sure there may be younger people too, but I am yet to meet them), and like every webappsec expert, his ability to think differently has helped him achieve so much in such a short time. Here he shares with us how he got started in the webappsec field. In his own words:

“I got started in fall of 1996. My older brother had left for college and he was the one who understood computers. One day the computer stopped working and I wanted to play Doom. So I started fiddling with it and fixed it. About this time I also got a graphing calculator for geometry, so I spent my days writing programs for the TI-85 in Basic and z80 assembler, and my nights writing Basic and learning C. Soon afterwards I actually used one of those AOL disks, discovered the Internet, and learned how to create fake accounts and phish people in the New User Lobby. I wasn’t much of a network guy, let alone a web hacking guy. In college most of my hacking was focused on hardware or other things that popped on my radar like spy software. I met Caleb Sima, the co-founder and CTO of SPI Dynamics, at an Atlanta hacker conference, and he told me to come in for an interview. I was amazed by how vulnerable companies were through their websites. I started in QA, where my job was to verify our crawler and audit engines worked properly. Pretty quickly I saw ways we could improve both; I am now the lead researcher focusing on crawlers and automated vulnerability detection. I continue to speak at security conferences much like I did in college. The only differences now are I speak under my real name, I have an expense report, and there are more middle-aged men in Dockers and polos and fewer guys in black t-shirts and green hair! I’ve done a good bit of non-web stuff too. Mainly lots of presentations at different conferences (Interz0ne, Phreaknic, The Fifth Hope), some articles for 2600, O’Reilly’s Make Magazine, etc.”

I got a chance to meet with him at the WASC meetup at RSA. He is a very lively character. Let me put it this way: if Billy is a part of a conversation, you won’t get bored even if you just stand there and listen. Below is a list of his contributions to the industry.

“Well, ain't it a small world, spiritually speaking. Pete and Delmar just been baptized and saved. I guess I'm the only one that remains unaffiliated.” –Oh Brother Where Art Thou

Tools:

StripSnoop - Suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripe cards. This has received a lot of attention, having been Slashdotted twice, appeared on G4TechTV’s The Screen Savers, and at the O’Reilly Emerging Technologies Conference Maker Faire.
http://stripesnoop.sourceforge.net/

Friday, March 09, 2007

This week on Reflection we have another big contributor to the webappsec field. Shreeraj Shah is a founder of Net Square Solutions, where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Shreeraj started with web application security in mid 2000 when he was working on the WebLogic application server and discovered some architecture-level security issues. He quickly found similar issues in other products like WebSphere, JRun, Java Web Server, etc. and posted a lot of advisories on SecurityFocus. Since then he has performed numerous network security pen tests and application assessments for many significant companies.

Based out of Ahmedabad, India, Shreeraj is 31 years old, has a lot of experience in web application security, has authored a couple of books, published many articles, presented at many conferences (including Black Hat, HackInTheBox, RSA, etc.), and posted several vulnerabilities and advisories at SecurityFocus. Below is a compilation of most of his work, including articles, whitepapers, books, presentations, etc.

Shreeraj has come up with interesting ideas before and I am sure he has a lot more to contribute to the webappsec industry. If you don't already follow his blog then I suggest you should definitely keep an eye on it.

Friday, March 02, 2007

If we hear so much about web application firewalls and their role as a first line of defense in protecting our web applications, a large amount of credit has to go to Ivan Ristic. Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). He started playing in the webappsec space sometime around 2002 and has been working in it seriously since 2004. Based out of London, UK, he is only 33 years old and works for Breach Security. He is currently in charge of the ModSecurity product line, which includes ModSecurity, sensor appliances based around it, and management appliances. Ivan also wrote Apache Security for O'Reilly, a web security guide for administrators, system architects, and programmers. Prior to web application security, he worked as a developer, system architect and technical director in the software development industry. He briefly shared his journey with ModSecurity with us. In his own words:

"I started developing web applications in 1997. At that time no one really thought about web application security. Since the applications I worked on were sensitive, I had to deal with the problem then or shortly thereafter. Over time it became apparent to me that designing 100% secure web applications is simply not possible. And even pretty good security is difficult to achieve for an average programmer. The only choice then (and it's the same today) was to fix applications. So the real choice was between having IDS (a network level tool) or a proper HTTP-level tool. Using IDS to deal with HTTP-level problems is very difficult. They will not reassemble transactions and are typically very easy to evade. On top of that most can't see into SSL traffic. So I don't really think there was a choice.

I started working on ModSecurity in November 2002. I came up with a beta version pretty quickly. If I recall 1.2 was the first version to be made available to the public. But it wasn't until 1.5 that I felt comfortable enough with the product to tell others they can use it in production. Version 1.5 was out in May 2003. Although 1.4.2 (February 2003) was actually ready for production, version 1.5 had a web site, manual, mailing lists, etc. In other words the whole package needed for a project.

My biggest hurdle was lack of documentation for Apache and (especially) Apache 2 programming. That's where I spent most of my time in the first couple of years. Getting content interception to work in Apache 1.3.x was difficult because there is no API in Apache 1.3.x for that purpose (so my solution is a hack). And it's been very difficult in Apache 2.0.x because there was no documentation and when there was - it was outdated. In terms of code I always worked on the project alone. But the community is not only about code - I've had a lot of help from various people over the years, in one form or another.

The biggest decision I made was about the model. At the time I was thinking of building a separate program or writing an Apache module. I am still happy with my decision (to write an Apache module) because it allowed me to focus on the areas I really cared about. Plus it allowed me to learn a lot about Apache and that lead me to write Apache Security, which was a tremendous project on its own.

I didn't work for a security company up until 2004. In 2004 I started my own business (Thinking Stone) to support ModSecurity. Thinking Stone was subsequently bought by Breach Security in 2006. I am still working for Breach Security today. We are a web application firewall company.

As for the future of Web Application Firewalls, I cannot see a world without them. Even if web applications magically become secure overnight, a large part of what I think WAFs do is auditing and monitoring. In other words - defence in depth. I don't see that need ever going away."

Ivan spends his time thinking about web intrusion detection, web application security and security patterns. When he is not working, he spends his time cooking, on photography, and studying the English language, but most of the time he ends up back in the webappsec space. He is probably the first to talk about the concept of "impedance mismatch" between applications and external security layers. Below are various other contributions from him: